问题描述
我正在尝试配置云构建触发器,该触发器将构建 maven springboot 项目,然后将其部署到云运行中.当我未指定要连接的云sql实例时,我遇到了一个可行的问题,但是当我添加"--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}"
作为args之一时,它在云构建上引发了错误,如下所示:
I'm trying to configure cloud build triggers which build maven springboot project and then deploy to cloud runs. I run into a problem where it works when i don't specify the cloud sql instance to be connected with, but when I add "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}"
as one of the args, it throws error on cloud build as follows:
Step #1: ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission
Finished Step #1
ERROR
ERROR: build step 1 "gcr.io/cloud-builders/gcloud" failed: exit status 1
以下是我的cloudbuild.yml
steps:
- name: 'gcr.io/kaniko-project/executor:latest'
args:
- --destination=gcr.io/$PROJECT_ID/${_IMAGE_NAME}
- --cache=true
- name: 'gcr.io/cloud-builders/gcloud'
args: [
"beta", "run",
"deploy", "${_SERVICE_NAME}-${_PROFILE}",
"--image", "gcr.io/${PROJECT_ID}/${_IMAGE_NAME}",
"--region", "${_REGION}",
"--platform", "managed",
"--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}",
"--allow-unauthenticated",
"--set-env-vars", "SPRING_PROFILES_ACTIVE=${_SPRING_PROFILE},DATABASE_CONNECTION_NAME=${_DATABASE_CONNECTION_NAME},DATABASE_NAME=${_DATABASE_NAME},DATABASE_USERNAME=${_DATABASE_USERNAME},DATABASE_PASSWORD=${_DATABASE_PASSWORD},MINIO_ACCESS_KEY=${_MINIO_ACCESS_KEY},MINIO_SECRET_KEY=${_MINIO_SECRET_KEY},MINIO_HOSTNAME=${_MINIO_HOSTNAME},MINIO_PORT=${_MINIO_PORT}"
]
images:
- gcr.io/${PROJECT_ID}/${_IMAGE_NAME}
并且我已经为服务帐户设置了以下角色/权限:
and I already set roles/permission for service account as follow:
-
{PROJECT_ID}-compute@developer.gserviceaccount.com
:Cloud Sql Client编辑器<-默认SA -
<Cloud run service agent>
:Cloud Run Service代理,Cloud SQL客户端 -
<Cloud Build SA>
:Cloud Build SA,Cloud Run Admin
{PROJECT_ID}-compute@developer.gserviceaccount.com
: Editor, Cloud Sql Client <-- Default SA<Cloud run service agent>
: Cloud Run Service Agent, Cloud SQL Client<Cloud Build SA>
: Cloud Build SA, Cloud Run Admin
我的Cloud Run服务还使用默认服务帐户作为其SA
My Cloud Run service also use default service account as its SA
推荐答案
确保您还为Cloud Build Service帐户赋予了iam.serviceAccountUser
角色,从而可以在构建期间模拟Cloud Run运行时服务帐户. /p>
Make sure you've also given the Cloud Build Service Account the iam.serviceAccountUser
role, allowing it to impersonate the Cloud Run runtime service account during the build.
gcloud iam service-accounts add-iam-policy-binding
PROJECT_NUMBER-compute@developer.gserviceaccount.com
--member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com"
--role="roles/iam.serviceAccountUser"
有关更多信息,请参见云运行部署权限信息.
See Cloud Run deployment permissions for more info.
这篇关于当部署到以"--set-sql-instance"运行时,云构建许可被拒绝.争论的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!